2) To avoid putting users' DiskStation at risk, please don't paste links to any patches provided by our Support team as we will systematically remove them. Our Support team will provide the correct patch for your DiskStation model.

I'm trying to set up a secure FTP, so for this I've imported self-signed certificate with stronger cipher suites only - those with EC(DHE/DSA). I tried several clients having OpenSSL 1.0.2h. My synology in /usr/bin/openssl shows version 1.0.2h-fips. So, I would say they are equal.

1) I tried to connect using Let's Encrypt certificate first (which has RSA private key) and is created by Synology dialog. Either with AUTH TLS or AUTH SSL, both work ok, and I can authenticate and connect to the FTPS server.

2) With self-signed certificate (having EC private key) I always get the following errors. My friend tried this certificate with another Linux FTP server and is working fine. To me it sounds like there is something wrong in configuration in Synology's FTP or is missing something (libraries, certificates?):

Question: I am having trouble connecting to my SSL/TLS-enabled proftpd; my FTPS client shows this error:
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
What is wrong?
Answer: It depends; the first thing is to check your TLSLog to see what errors, if any, are logged by the mod_tls module. For example, you might see:
Dec 14 10:47:58 mod_tls/2.4.1[13393]: unable to accept TLS connection: protocol error:
(1) error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
The most common causes of these problems are: a) overly restrictive TLSCipherSuite configuration, or b) missing server certificate (i.e. TLSRSACertificateFile, TLSDSACertificateFile, or TLSPKCS12File). The file configured for the server certificate might also be badly formatted, which would result in the same error.

Thank you

UPDATE 1
I searched synology what FTP server is running there. Just call /usr/bin/ftpd -v. I get with DSM 6.0u1 the version SmbFTPD Ver 2.0 which is from Sat. May. 24, 2008 !!!!!

UPDATE 3
Synology is checking the issue with EC certificate... Note: Synology use old version of SmbFTPD but applies its own updates. Just to clarify my initial shock.

RESULT
After long communication with support, Synology supports RSA certificates only. Import of ECDSA certificates in Control Panel is a bug, because it's not supported. It has been passed as a feature request, so we will see in the future.

Features:
- Removed SITE MD5 support. It would waste too much server resource.
- Added SSLCipherSuite config option to changing acceptable ciphers.
- Supported DH and ECDH cipher suites.
- Implemented CCC command to allow clear control channel protection.
- Implemented MLST and MLSD commands to compliant with RFC3659.
- Implemented more detailed server status for STAT command.
- For the password encryption of Virtual User, we use SHA512 by default.
- Please NOTE, if you use MySQL or PostgreSQL as Virtual User backend,
the Crypt type "md5" and "password"(mysql) has been removed. It is suggested
to use "crypt" type. Please see the new smbftpd_pgsql.conf Crypt setting
for detail.

==============================================================================
* Fri. Aug. 22, 2008 Alex Wang
[2.1]
Bug fixes:
- Set default transfer mode to binary not ASCII.
- Change the rule of unique file name from "local.jpg.XX" to "local.XX.jpg"
- Support Russian reversed 'R' (0xff) charactor in file name.
- The Windows IE still send "opt utf on" when UTF-8 is not enabled. We should
block the command so the IE will use correct encoding.